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Abstract 

In this work we describe an explicit, simple, construction of large subsets of F", where F 
is a finite field, that have small intersection with every /c-dimensional affine subspace. Interest 
in the explicit construction of such sets, termed subspace- evasive sets, started in the work of 
Pudlak and Rodl |PR04| who showed how such constructions over the binary field can be used 
to construct explicit Ramsey graphs. More recently, Guruswami |Gurll] showed that, over large 
finite fields (of size polynomial in n), subspace evasive sets can be used to obtain explicit list- 
decodable codes with optimal rate and constant list-size. In this work we construct subspace 
evasive sets over large fields and use them, as described in |Gurll] . to reduce the list size of 
folded Reed-Solomon codes form poly(n) to a constant. 

1 Introduction 

1.1 Subspace evasive sets 

Defined formally, a (k, c)-subspace evasive set S C F" lias intersection of size at most c with every 
fc-dimensional affine subspace C F". This definition makes sense over finite fields, as well as 
over infinite fields. Over finite fields, a simple probabilistic argument shows that a random set S of 
size IFI^^"*^)" will have intersection of size at most c{k,e) = 0{k/e) with any fc-dimensional affine 
subspace H. In this work we give the first explicit construction of a subspace-evasive set S of size 
that has intersection size at most c{k, e) = {k/e)^ with every /c-dimensional affine subspace 
H. This is stated in the next theorem. We postpone the exact definition of the term explicit to 
the following sections (see Theorem 13.21 for the formal statement of this theorem and Section H] for 
a discussion of explicitness) . 

Theorem 1 (Main theorem). For any finite field F and parameters /c > l,e > there exists an 
explicit construction of a set S" C F" of size \S\ > |F|(-'^^'^)" that is {k,c{k,e))- sub space evasive with 
c{k,e) = {k/e)K 

While being far from the optimal bound of 0{k/e) and despite being exponential in k, the 
bound we obtain is useful when k is small and the field is sufficiently large. As we will see below, 
this is precisely the setting that was raised by Guruswami in connection to error correcting codes. 
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The main ingredient in our construction is an explicit family of degree d polynomials fi, ■ ■ ■ , fk S 
¥[xi, . . . , Xn], for all < n < |F|, such that for every injective (i.e full rank) affine map : F'^ i— t- 
the system of equations 

fMtu...,tk)) = o 



fk{e{h, . . . ,tk)) = 0. 

has at most d'^ solutions. The degree d can be any number between n and |F|. Using algebraic- 
geometry terminology, the set of common zeros of /i, • • • forms an (n — A;)-dimensional vari- 
ety which has finite intersection with any k dimensional affine sub-space. We call such varieties 
everywhere-finite varieties (see Section [2] for a longer discussion of this particular choice of name) . 

Constructing subspace evasive sets as in Theorem [T] is then obtained by partitioning the n coor- 
dinates of the space into blocks of size k/e and applying the basic construction (of an everywhere- 
finite variety) on each block independently. The polynomials we use in the basic construction are 
extremely simple (weighted sums of powers of variables) which makes the final construction explicit 
enough to be useful for the list-decoding application described in [Gurll] (allowing for both efficient 
encoding and list-decoding) . Our proofs are elementary and do not use any sophisticated algebraic 
machinery (apart from Bezout's theorem) 



1.2 List-decodable codes 



An error-correcting code allows one to encode a message into a codeword so that encodings of 
different messages differ in many coordinates. This allows one to recover the original message from 
an encoding that is corrupted in a small number of coordinates. More formally, A code is a subset 
C C S™", where S is some finite alphabet. The rate of the code is denoted R = ^"og*]^!; and the 
distance of the code, denoted p, is the minimal Hamming distance between two codewords divided 
by m. It is easy to show that p < 1 — R and that unique decoding (i.e decoding a message uniquely 
from a corrupted codeword) is only possible from a fraction (1 — R)/2 of errors. When the number 
of errors goes beyond (1 — R)/2 one has to be satisfied with list- decoding, in which a short list of 
possible messages is returned (i.e all messages whose encodings are close to the received word). 
Non explicitly, one can show the existence of a code that can be list-decoded from 1 — R — e errors 
with list-size bounded by 0(l/e). Obtaining an explicit construction of such a code (with efficient 
encoding/decoding) is a major open problem in coding theory. The first work to give explicit codes 
that can be list-decoded from 1 — R — e errors was the paper of Guruswami and Rudra |GR08] 
which builds on earlier work by Parvaresh and Vardi |PV05j . Their work showed that a certain 
family of codes, called folded Reed-Solomon (RS) codes can be list-decoded from 1 — R — e errors 
with list size bounded by m^^^^''\ where m is the number of coordinates (or block length) of the 
code. 

In a recent work, Guruswami [Gurll] gave a new list-decoding algorithm for folded RS codes 
which have some nice advantages over previous decoding algorithms. Among these advantages is 
the property that the list of possible messages, returned by the decoder, is contained in a low 

^We do use Weil's exponential sum estimates to analyze a certain variant of the construction but this part of the 
proof can be omitted by choosing the polynomials fi, . . . , fk more carefully (as described in Section |4]). 
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dimensional subspace. More precisely, the code represents messages as elements of F", where F is 
a finite field of size g ~ n, and the list returned by the decoder is (quite surprisingly) a subspace 
of dimension 0(l/e). This immediately gives the size bound for the list of mentioned above 

but also shows a way for improving further the list size. Guruswami observed that restricting the 
messages to come from a ((1/e), c(e))-evasive set S C F", instead of coming from the entire space 
F", will reduce the list size to c(e) and remove the dependency on the block length. In order for 
the rate to not degrade by much we need the size of S to be sufficiently large, say \S\ > IFI^^""^)". 

For this application to produce codes with efficient encoding/decoding, the evasive set S must 
satisfy two explicitness conditions. The first is that messages can be encoded and decoded efficiently 
into S. The second condition is that, given a subspace (say, as a list of basis vectors), one can 
efficiently compute the intersection of this subspace with S. Our construction of subspace evasive 
sets satisfies both of these conditions (see Section and so we obtain the following theorem. 

Theorem 2. For every R and e, there exists an explicit family of codes C C S*" with rate R that 
can he list- decoded from a fraction 1 — R — e of errors in quadratic time and with list size {l/e)^^^^^\ 

The use of evasive sets to enhance list-decoding is completely black-box and only uses the 
property that the returned list is a subspace of a certain dimension in a sufficiently large field. We 
give the proof of Theorem [2] in Section [5l stating the relevant claims from [Gurllj that are needed 
for the black-box application. 

Following |Gurllj , Guruswami and Wang [GWll] showed another family of codes with optimal 
distance list decoding and with the additional property that the list returned by the decoder is a 
subspace. This family of codes, called derivative codes (also called multiplicity codes in |KSY11| ). 
obtains roughly the same parameters as folded RS codes and can be also combined with our 
construction of evasive sets in the same way to reduce the list size. 

1.3 AfRne and two-source extractors 

The work of Pudlak and Rodl |PR04j showed that constructing (n/2, c)-subspace evasive sets C Fj 
gives explicit constructions of bipartite Ramsey graphs. These are bipartite graphs that do not 
contain bipartite cliques or independent sets of certain size. A recent work of Ben-Sasson and Zewi 
[BSZll] explored this connection further and showed (under some number theoretic conjectures) 
that such sets can also be used to construct two-source extractors which are strong variants of 
bipartite Ramsey graphs. Another application given in [BSZll] was to the construction of affine 
extractors which are functions that have uniform output whenever the input chosen uniformly from 
a subspace of sufficiently high dimension. Both of these applications require that the construction 
be over a field of two elements. Our construction requires the field to be at least of size n and 
so is not useful for these applications. An important direction for progress is to generalize our 
construction for smaller fields. Alternatively, one can try to generalize the approach of [BSZllj to 
larger fields and then try to use our construction to obtain better extractors (affine or two-source). 

1.4 Organization 

Section [2] contains the main construction of everywhere-finite varieties (Theorem 12. 4p . In Section [3l 
we show how to compose this basic construction to obtain our main theorem, Theorem 13.2] which 
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gives explicit evasive sets. In Section U] we prove several claims which deal with the explicitness 
of our construction, and use them, in Section [5] to derive Theorem [2l Appendix |A] contains some 
basic results on Fourier analysis that are used in part of Section [3j 

2 Everywhere-finite varieties 

Let F be a field and F its algebraic closure (recall that the algebraic closure is always infinite, even 
if F is finite). A variety in F is the set of common zeros of one or more polynomials. Given k 
polynomials /i, . . . , G F[xi, . . . , we denote the variety they define as 

V(/i, . . . , /fc) := {x G r I = . . . = Mx) = 0}. 

The dimension of a variety is a generalization of the notion of dimension for subspaces and can 
be thought of, informally, as the number of 'degrees of freedom' the variety has. In particular, k 
generic polynomials fi, ■ ■ ■ , fk define a variety V(/i, . . . , Z^) of dimension n — k. It is well known 
that the intersection of an (n — A;)-dimensional variety C F with a generic k dimensional affine 
subspace H c¥ is finitH. In the following we will not rely on any of these properties and keep the 
discussion self-contained. Our main result in this section is a construction of an explicit variety V 
where this holds for all affine subspaces H of dimension k. Using Bezout's theorem (Theorem 12. 2 h 
and the bound on the degrees of the polynomials defining V we will also get an explicit uniform 
bound on the size of the intersections |V n We start with the formal definition. 

Definition 2.1 (Everywhere-finite variety). Let fi,...,fk £ F[xi, . . . , x„] be polynomials. The 
variety V = V(/i, . . . , fk) is everywhere-finite if for any affine subspace H C ¥ of dimension k, 
the intersection \ r\ H is finite. 

The importance of showing that the intersection is finite comes from Bezout's theorem, which 
allows one to give explicit bounds on the intersection size, given that it is finite. This result can be 
found in most introductory texts on Algebraic Geometry |Sha94j (for an elementary proof of this 
particular formulation see |Sch95j ). 

Theorem 2.2 (Bezout). Let gi, . . . , G ¥[ti, . . . ,tk] be polynomials. IfY{gi,...,gk) is finite then 

k 

iv(5i,...,gfc)i < n^^§(^»)- 

i=l 

For everywhere-finite varieties this gives the following immediate corollary. 

Corollary 2.3. Let fi,...,fk G F[xi, . . . , j;^] be polynomials such that V = V(/i,...,/fc) is 

every where- finite. Then for any k-dimensional affine subspace H C ¥ we have 

k 

\YnH\<l[deg{fi). 

i=l 

^For a precise definition of dimension and proofs of its basic properties we refer the reader to any elementary text 
on Algebraic Geometry (e.g [Sha94]). 
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Proof. Let the fc-dimensional affine subspace H be given as the image of an affine map i = 
{ii, . . . , in) '■ IF — >• if". Let gi G F[ti, . . . ,tk] denote the restriction of fi to H, i.e. 

gi{tl, ■ ■ ■ ,tk) '■= fi{h{tl, . . . , tfc), . . . , in{ti, . . . , tk))- 

Clearly Vn// = V(5fi, . . . ,gk) and deg(5fj) < deg(/i). The corollary now follows from Theorem 1 2. 2 1 

□ 

We will now describe an explicit construction of an everywhere-finite variety. We will need the 
following definition: A k xn matrix (where A; < n) is k-regular if all its kx k minors are regular (i.e 
have non-zero determinant). For example, if F is a field with at least n distinct nonzero elements 
7i, . . . , 7„ then Aij = 7* is /c-regular. 

Theorem 2.4 (Construction of an everywhere-finite variety). Let 1 < k < n be parameters and¥ be 
a field. Let A be a kxn matrix with coefficients in F which is k-regular. Let di > d2 > ■ ■ ■ > dn > 1 
be integers. Let the polynomials fi, . . . , fk G F[xi, . . . , x„] be defined as follows: 

n 

fi{x\, • • • ; ^n) ^ ^ -^ij ' j ' 

i=i 

Then V = V(/i, . . . , f^) is every where- finite. In particular, for any k-dimensional affine subspace 
H we have | V n i/| < {dif . 

We prove Theorem 12.41 in the remainder of this section. Let C F" be a A;-dimensional 
affine subspace. Our goal is to show that V n is finite, and then the size bound follows from 
Corollary 12.31 The first step is to present H as the image of an affine map £ : f'^ 1— )• F" with a 
convenient choice of basis. In the following let i = (ti, . . . , t/j) G F and x = (xi, . . . , Xn) G F". 

Claim 2.5. There exists an affine map £ = {£1, . . . ,£n) : F*" — t- F" whose image is H and such that 
the following holds. There exist k indices 1 < ji < j2 < ■ ■ ■ < jk ^ n such that 

1. For all ie[k], £j^{t) = ti. 

2. If j < ji then £j{t) G F (i.e ij is constant). 

3. If j < ji for i > 1 then £j{t) is an affine function just of the variables ti,t2, ■ ■ ■ , ti-i. 

Proof. Let : F^ — )• F" be an arbitrary affine map whose image is H. We construct ^ by a basis 
change of £' which puts it in an upper-echelon form. That is, let j'l be the minimal index such that 
£'j-^^{t) is not constant. We take ^ji(t) = ti. Let j2 be the minimal index after ji such that £'j^{t) 
is not an affine function of i'j^{t). We take £j2{t) = t2, and we have that £j{t) for ji < j < j2 are 
affine functions of ti. Generally, let ji be the minimal index after such that £'j-{t) is not an 
affine function of £'j-^{t), . . . ,£'j-_-^{t). We take £ji{t) = ti and have that £j{t) for < j < ji are 
affine functions of ti, . . . ,ti-i. Obviously, for j > j^ we have that £j{t) are affine functions of all 
ti,...,tk. □ 
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Let I = {ii,...,en) : F be given by Claim 12.51 and let 1 < ji < j2 < • • • < Jfc ^ be the 

indices given by the claim. Let J := {ji, . . . ,jk}- Our goal is to show that the following system 
has a finite number of solutions: 

fi{£i{ti,...,tk),...,£n{ti,...,tk)) = 0, i£ [k]. 

Clearly, applying an invertible linear transformation on the set fi, ■ ■ ■ , fk (replacing each /j with 
a linear combination of /i, . . . , fk) will not affect the number of solutions. Our next step is to find 
such a linear transformation that will put the /j's in a more convenient form, eliminating some of 
their coefficients. 

Claim 2.6. Let f{x) = (/i(x), . . . , fk{x))- There exist k linearly independent vectors ui, . . . ,Uk G 
k 

F such that, for all i £ [k], 

(n„/(x))=xj'»+ J2 c^^-^f' (1) 

j€[n]\J 

where the coefficients Cij are elements of¥. 

Proof. Recall that by definition fi{x) = X^"=i ■ x'^^ where ^ is a /c-regular matrix. Let A' be 
the k X k minor of A given by restriction to columns ji, ■ ■ ■ ,jk- Since A is /c-regular we have that 
A' is regular. Let ui, . . . ,Uk G F'^ denote the rows of {A')^^. We thus have that UiA' = ei where ei 

is the i-th unit vector. That is, {ui,f{x)) = x^^' + Ylj(^j'^ij ' ^j'' where Cij is the inner product of 
Ui and the j-th column of A. □ 

Let ui, . . . ,Uk be the vectors given by Claim \2M and denote 

fi{x) := {ui,f{x)). 

Let us also denote 

9i{ti, ■ ■ ■ ,tk) := fi{£i{ti, . . . , tk), . . . , in{ti, • • • , tk)). 

Recall that, from the above discussion, our goal is to show that the system {gi{t) = : i G [k]} has 

k 

a finite number of solutions in F . By Claims 12.51 and 12.61 we have that 

9^it) = ^i''+ E c^i-^.W'^- (2) 

iG[n]\J 

We now perform one final transformation on our system. Contrary to the previous transformations 
which were linear transformations, this will be a polynomial transformation. Let 



k 



1=1 

and let 
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For i E [k] define 

hiih, . . . ,tk) := 5(j ( \ . . . 



We first note that in order to show that V(g(i, . . . ,51^.) is finite it suffices to show that V(/ii, . . . , hj^.) 
is finite. 

Claim 2.7. \V{g^, . . . , gk)\ < | V(/ii, . . . , %)| . 

Proof. For each w G ^{g) we can define w' £ V(/i) by letting w'^ be some Di root of Wi (it exists 
since F is algebraically closed). Clearly distinct elements in \^{g) are mapped to distinct elements 
mY{h). □ 

The reason for these transformations is that the final polynomials hi have a specifically nice 
form: they are the sum of tf^ with a polynomial of lower total degree. 

Claim 2.8. For all i G [k] we have that 

hi{ti,. . . ,tk) = tf + ri(ti,...,tfc) 

where deg(rj) < D. 
Proof. By definition 

h{t)=gi{t^\...,t^-)=tf>+ Cij-iX^-'-^tk")'^- 

jG[n]\J 

To prove the claim we need to show that deg(£j{t^^ , ■ ■ ■ , t^'')) < D/dj for all j ^ J. If j < ji then 
ij is constant. Otherwise let i E [k] be maximal such that j > ji. By Claim [231 we have that ij{t) 
is an affine function of ti, . . . , tj. Since Di < . . . < D)^ we have that 

deg(£,(tf^...,^f'=))<A = ^<^ 

since di > . . . > dn- □ 

To complete the proof of Theorem l2.4l we need to show that V(/ii , . . . , hk) is finite. This follows 
from a general bound for polynomials of the form hi{t) = tf + ri{t) where deg(rj) < D. 

Lemma 2.9. Let hi,...,hk E ¥[ti,...,tk] be polynomials such that hi(t) = tf + rj(t) where 
deg(ri) < D. Then V(/ii, . . . ,hk) < . 

Lemma 12.91 follows immediately from the following two claims. In the following, let R := 
F[ti, . . . , tfc] be the ring of polynomials; / := {hi, . . . , h^) be the ideal in R generated by /ii, . . . , h^; 
and M := R/I be their quotient. Note that M is a vector space over F. 

Claim 2.10. |V(/ii, . . . , /ifc)| < dimM. 
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Proof. Assume by contradiction there exist wi, . . . , Wm S V(/ii, . . . , hk) where m > dim(M). Let 
Qi G ¥[ti, . . . ,tk] be polynomials such that qi{wi) = 1 and qi{wj) = for all j ^ i. Let iji be 
the image of qi in M. Since m > dim(M) there must exist a nonzero linear dependency among 
qi, . . . ,qm- That is, there exist ci, . . . , Cm G F not all zero such that 

Ci ■ qi{t) = (in M). 

ie[m] 

Equivalently put, 

Ci ■ qi{t) G /. 

je[m] 

The key observation is that for any polynomial h{t) £ I we have that h{w) = for all w G 
{wi, . . . , Wm}- This is because hi{w) = for all i G [k] by assumption. Thus substituting t = Wj 
we get that 

= ^ Cj • qiiwj) = Cj, 

which contradicts the assumption that not all ci , . . . , Cm are nonzero. □ 
Claim 2.11. dimAf < D'' . 

Proof. We will show that M is spanned by the image in / of the monomials . . t^* where 
< ei, . . . , efc < D — 1. Thus in particular dimM < D^. In order to do so, we need to show that if 
q{t) is a polynomial then there exists a polynomial q(t) such that q — q €z I and the degree of each 
variable in q is at most D — 1. It suffices to show that if q{t) has some variable of degree at least D 
then we can find q such that q — q £ I and such that deg{q) < deg(g). The claim then follows by 
iterating this process until all variables have degrees below D. Moreover, it suffices to prove this 
in the case where q is a monomial, as this process can be applied to each monomial individually. 

Thus, let q{t) = . . . t'j!' be a monomial where Ci > D for some « G [k]. Define 

We have that deg{q) < deg(g) since deg(/ii(t) — ) < D hy assumption; and q{t) — q{t) = 
hi{t)t1'~^Y[j^i'^'j^ G / as required. □ 

3 Subspace Evasive sets 

In this section we construct subspace evasive sets, based on the construction of everywhere-finite 
varieties given in Theorem 12.41 We first recall the definition of subspace evasive sets. 

Definition 3.1 (Subspace evasive sets). Let S C F*^. We say S is {k, c)- sub space evasive if for all 
k-dimensional affine subspaces H c¥"' we have \S H\ < c. 
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We next give some necessary definitions. For polynomials fi, ■ ■ ■ , fk £ ^[xi, ■ ■ ■ , Xm] we define 
their common solutions in F"^ (as opposed to their solutions over the algebraic closure) as 

Vf(/i, ...Jk):= V(/i, ...,/,) n F'" = {x G F'" : = ... = Mx) = 0}. 

We say that a k x m matrix is strongly-regular if all its r x r minors are regular for all 1 < r < A:. 
For example, if F is a field with at least m distinct nonzero elements 71, . . . ,7m then Aij = 7*- is 
strongly-regular. 

Theorem 3.2. Let k > l,e > and ¥ be a finite field. Let m := k/e and assume m is integer 
and m divides n. Let A be a k x m matrix with coefficients in ¥ which is strongly-regular. Let 
di > . . . > dm be integers. For i G [k] let 

m 

fi{xi, . . . , Xm) '.= ^ ^ j' ■ Xj'' , 

i=i 

and define 5* C F" to be the {n/m)-times cartesian product 0/ Vf(/i, . . . , fk) C F*". That is 

S = VF(/l,...,/fc) X ... X VF(/l,...,/fc) 

= {x £¥"■ : fi{xtm+i, ■ ■ .,xtm+m) = 0, V < t < n/m, l<i<k}. 
Then S is {k^{di)^)- sub space evasive. Moreover, 

1. Ife< 1/10, di < |F|i/^ and |Fp > then \S\ > i|F|(i-^)". 

2. If at least k of the degrees di, . . . ,dm (ire co-prime to |F| — 1 then \S\ = IFI*^^"*^)". 

We prove Theorem 13.21 in the remainder of this section. We first show that Vf(/i, . . . , f^.) has 
small intersection with affine subspaces of dimension at most k (this is a stronger statement than 
the one we proved in Section [2] since the dimension of the subspace can be smaller than k) . 

Claim 3.3. Let H C F*" be an r-dimensional affine subspace for r < k. Then | Vf(/i, . . . , fk)riH\ < 

Proof Note that Vf(/i, ...,fk)nH = V(/i, ...,fk)nH since H C F". We will show that in fact 
|V(/i, . . . , fr) n H\ < (di)^ , from which the claim will follow since V(/i, . . . , f^) C V(/i, . . . , fr). 
Now, since the matrix A is strongly-regular, its restriction to the first r rows is r-regular; hence 
V(/i, . . . , fr) is everywhere-finite (as an (n — r)-dimensional variety) and, by Bezout's Theorem 
(Theorem[22D, we have |V(/i, . . . , fr) n H\ < (di)'". □ 

We now prove that S = Vf(/i, . . . , /fc)("/™) is subspace evasive for dimensions up to k. 
Claim 3.4. Let C F" be an r-dimensional affine subspace for r < k. Then \S D H\ < (di)^. 

Proof. Let Vf = Vf(/i, . . . , fk)- We prove the claim by induction of the number of blocks b = n/m. 
If 6 = 1 then S = Vp and the claim follows from Claim [331 We thus assume that 6 > 1. Decompose 
-ff as a disjoint union of subspsiccs bcisGd on the restriction to the first Tfi coordinates . . . jX^n 
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(i.e. the first block). That is, let T := {{xi, . . . ,Xm) '■ {xi, ■ ■ ■ G H} and for each t G T let 
Ht := {{xi, . . . , Xn) G H : (xi, . . . , Xm) = t}. Thus H = Ut^rHt and we have that 



|vj""n;f| 



E 



Now, since if is an affine subspace so is T. Let r' = dim{T) where < r' < r. We also have 
that Ht is an (r — r')-dimensional affine subspace for all t & T. Now by Claim 13.31 we have that 
|Vf n r| < {diY' ; and by induction we have that \Y^^"^'^ ^ n Ht\ < {diY^"^' for all t ^ T. Hence 
|V;j/™ r\H\< {diY as claimed. □ 



We now turn to prove the 'Moreover' part of Theorem l3.2l namely to lower bound the size of S. 
To do so, it is enough to bound the size of Vf(/i, . . . , fk) (since 5 is a product of such sets). We 
begin with the unrestricted case, where all we assume are some (rather weak) bounds on the size 
of the field. We refer the reader to Appendix [A] for the notations/preliminaries on Fourier analysis 
and Weil's theorem used in the proof. 



Claim 3.5. Assume that e < 1/10, di < \¥\^/^ and |F|™ > 
l/n)|Fp"'^'. In particular \S\ > |F|(i-^)"/3. 



Then |VF(/i,...,/fc)| > (1 



Proof. Let x 
that E7=i A. 



(J) 



A 



(xi, . . . ,Xm) G F'" be chosen uniformly. Our goal is to estimate the probability 
x^^ = for all i £ [k]. Equivalently, let X^^"^ G F'^ be a random variable defined as 

and let X := + . . . + We need to estimate the probability that X = 0^. 

To this end, we apply Fourier analysis (for definitions see Appendix |A]). Assume F = Fg where 
q = ]f . The characters of F*^ are given by Xa{x) = ep(Tr((a, x))) for a G F'^ where TV : Fg 
the trace operator. Since are independent we have that 



Fp is 



X{a) = nXa{X)] = E[Xa( 



m 

E- 



\x^^y)\ = \{nxa{x^n = \{x^'Ka). 

We proceed to estimate the Fourier coefficients of X^^\ Let A^^^ G F'^ denote the j-th column of 
A. We have that 

X(i)(a) = E,^,eF[ep(Tr((a,^(^')) • xf ))]. 
Thus, if the inner product of a and ^'-•'^ is nonzero, we have by the Weil bound (Theorem lA.ip that 



X(i)(a) 



< 



1 



IFI 



Since we assume A is strongly-regular, for any nonzero a G F"* there could by at most k — 1 columns 
of A which are orthogonal to a; hence we deduce that for any nonzero a, 

X{a) < (|F|-l/4)(m-fc+l) < |]F|-fe-m/8 < (^y^) . |]p|-fc 

by our choice of parameters. We now apply these bounds to estimate the probability that X = 0. 
We have that Pr[X = 0] = \¥\-'' Y.a ^(«) ^nd X{0) = 1; hence 



Pr[X = 0] - F 



-k 



<F-'=^|X(a)| < (l/n) • |F| 
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Thus |VF(/i,...,/fc)| > (l-l/n)F— = (1 - l/n)F(i-^)'" and |5| = | Vf(/i, . . . , /fc)!"/™ > 
(1/e) • |F|(i-^)". □ 

We now prove the second item of the 'Moreover' part of Theorem 13.21 in which we assume that 
at least k of the degrees di,. . . ,dn are co-prime to |F| — 1 and use this extra condition to obtain 
a precise quantity for the size of S. In Section |4] we show that this condition on the degrees is 
relatively easy to satisfy if we are the ones choosing the field F. 

Claim 3.6. // at least k of the degrees di,...,dm are co-prime to |F*| = |F| — 1 then 
|Vf(/i, ■■■Jk)\ = |F|"-^ This implies \S\ = |F|(i-^)". 

Proof. Let Vf = Vf(/i, . . . , fk)- Let dj-^, . . . , dj^^ be degrees among di, . . . ,dm co-prime to |F| — 1 
and let J = {ji, ■ ■ ■ ,jk}- We will show that for any setting of {xj : j ^ J} there exists a unique 
setting of {xj : j G J} which makes x € Vf- This will clearly show that |Vf| = |F|'"~'^ as claimed. 

Substitute xj = Cj G F for all j ^ J. We have that x G Vf if 

Let A' be the kxk minor of A given by restricting A to columns in J. Let y 
let 6 E F*^ be given by 6^ = - Aj ' 4' ' x G Vf if 

A'y = b. 

We have that A' is regular since A is strongly regular; hence there exists a unique solution y E F'^ 
for the linear system A'y = b. We now apply our assumption that each degree dj. is co-prime to 
|F*| = |F| — 1. This implies that raising to the dj. power in F is an automorphism of F*. That is, 

for each y^ there exists a unique solution to x^^;'' = yi where Xj. E F. □ 

4 Explicitness of the construction 

In this section we discuss the explicitness of our construction of subspace evasive sets. The construc- 
tion of everywhere- finite varieties accomplished in Theorem 12.41 is given as the zero set of explicitly 
defined polynomials. One can use our construction over any finite field, including F = which is 
convenient for applications. The construction requires an explicit strongly regular k x n matrix A. 
Such a matrix can be easily obtained when |F| > n by taking A.ij = 7*- where 71, . . . ,7„ E F are n 
nonzero distinct elements in F (this is because each k x k sub-matrix is a Vandermonde matrix). 

4.1 Efficient encoding of vectors as elements of S 

It is trivial to decide in polynomial time if a given point x E F" is in S or not. The first non-trivial 
issue regarding explicitness is how to sample an element of the set uniformly. More precisely, for an 
evasive set 5 C F" of size jFl'' we would like to have an efficiently computable bijection ip -.F^ S. 
This is needed for the list-decoding application (see Section [5]) because we would like to encode 



= (xf^^ , . . . , ) and 
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messages as strings in S without losing much in the rate of the code and so that we can efficiently 
recover the original messages from their representation as elements of S. We now show how one can 
sample from the variety Vf(/i, . . . , fk) efficiently (this is enough since the construction of evasive 
sets is a Cartesian product of such sets). We show this is simple when at least k of the degrees 
di, . . . , dm are co-prime to |F| — 1 (we will show below that this condition is easy to obtain). 

Claim 4.1. Assume that at least k of the degrees di, . . . ,dm are co-prime to |F| — 1. Then there 
is an easy to compute bijection ip : F™'"'^ — )• Vf(/i, . . . , /fc) C F™. Moreover, there are m — k 
coordinates in the output of ip that compute the identity mapping 

Proof. The proof is similar to the proof of Claim \3M Let dj^ , . . . , djj^ be degrees among di, . . . ,dm 
co-prime to |F| — 1 and let J = {ji, . . . We showed in Claim \3M that for any setting for 

{xj : j ^ J} there exists a unique setting of {xj : j £ J} which makes x £ \'f{fi, . . . , /fc). We now 
show that given this setting, the values of {xj : j £ J} can be found efficiently. Thus taking ip to 
be the identity map from to Ft'^l^"' and completing it uniquely to F"^ will give the required 

map. As we showed in Claim [3^ we have Xj^_' = yj where y = (yi, . . . , ym) is a unique solution to 
a linear system A'y = b, where A' , b are easy to compute and A' is regular. The value of y can be 
found by solving a linear system; and the value of xj- can be retrieved since xj. = y'-^ where Cj is 
the inverse of dj. modulo |F| — 1 (which exists by assumption). □ 

4.2 Computing the intersection with a given subspace 

Another important explicitness issue is how to efficiently compute the intersection of a (/c, c)- 
subspace evasive set 5" C F" with a given affine subspace H of dimension k. This question comes 
up in the list-decoding application when we obtain a subspace (given in some basis) that is supposed 
to contain all possible decodings of a corrupted codeword and we wish to 'ffiter-out' this subspace 
to obtain the list of elements in it that are also in S. One way of doing this is to go over all elements 
in H and to check for each whether or not it is in S (in our case by evaluating the k polynomials 
and checking that they are all zero). Using the specific structure of our construction we can do 
much better and output the set S" n -ff in polynomial time in the size of the intersection. 

Claim 4.2. Let S C be the {k,c) -subspace evasive set constructed in Theorem \ 3.S\ (for some 
choice of the parameter m and degrees di > ... > dm)- There exists an algorithm that, given a 
basis for any affine subspace H of dimension k, outputs S D H in time polynomial in the output 
size. 

Proof. This follows from powerful algorithms that can solve a system of polynomial equations (over 
finite fields) in time polynomial in the size of the output, provided that the number of solutions is 
finite in the algebraic closure (i.e the 'zero-dimensional' case). See for example |Laz92l [FGLM93] . In 
our basic construction of an everywhere finite variety, given as the common zero set of k polynomials 
fi, ■ ■ ■ , fk in n variables xi, . . . ,Xn, the intersection with a k dimensional affine subspace reduces 
to solving a system of k equations in k variables - simply substitute Xi = ii{ti, . . . , tk), where H is 
the image of the degree one map ^ : F'^ i— )• F". For the construction of the evasive set (which is the 
direct product of these simple varieties) we can use an iterative argument (similar to the proof of 
Theorem l3.2p . Recall that in our construction we partitioned the set of coordinates into consecutive 
blocks of length m - each containing an independent copy of a the variety V(/i, . . . , fk). In the 
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first step we solve a system of equations for the projection of H on the first m coordinates. If the 
dimension of this projection is ri then this step wih take time polynomial in {diY^ which is the 
bound on the number of solutions. For every fixing of the first m coordinates to a solution obtained 
in this step, we reduce the dimension of H by ri and obtain a new subspace H' on the remaining 
coordinates. Continuing in the same fashion with H' on the second block we can compute all 

solutions in time po\y{{diY^) ■ po\y{{diY'^) poly((di)''*), where ri + r2 + . . . + r£ = k. This will 

add up to a total of poly(((ii)^) running time, which is polynomial in the number of solutions. □ 

4.3 Generating a field with k degrees co-prime to |F| — 1 

We now address the condition, appearing in Theorem 13.21 and in Claim [4?T| that at least k of the 
degrees di > . . . > dm used in the construction are co- prime to |F| — 1. We will want to satisfy 
this condition, while still maintaining am reasonable bound on di (which is important since it 
determines the intersection size with subspaces). For certain fields it may be the case that |F| — 1 
has many small divisors, in which case di might have to be large. However, if one has the freedom 
of 'picking' the field size (as we do in the application to list-decoding) then this problem can be 
avoided. In essence, we need a (deterministic) way of generating a field F of size within some 
specified range and with at least k small integers co-prime to |F| — 1. The best bound on the k 
integers is 0{k) which can be obtained, for example, using 'safe' primes or primes of the form 2q + l 
for q prime. Since we do not know how to find a safe prime in a specified range (or even to show 
that infinitely many such primes exist!) we will have to resort to an asymptotically weaker bound 
as is given by the following claim. 

Claim 4.3. There exists a constant C > such that the following holds: There is a deterministic 
algorithm that, given integer inputs k,n so that n > fcC'iogiog'^^ runs in poly{n) time and returns a 
prime p and k integers k^^°^^"^^ > di > d2 > ■ ■ ■ > df^ > 1 such that: 

1. For all i e [k], gcd(p — 1, di) = 1. 

2. n<p < n - 

Proof. Let K be the product of the first [log2(fc -|- 1)] odd primes. By the prime number theorem, 
K < for some constant C" > 0. Let K > di > . . . > dkhe k distinct odd divisors of K. 

We will show how to chose the prime p as in the claim using results on the distribution of primes 
in arithmetic progressions (see [IK04J for more details). Property 1. will follow if our prime p will 
satisfy the congruence p = 2 mod K. Since K and 2 are co-prime, we know (see [IK04| ) that the 
number of primes smaller than x satisfying this congruence is asymptotically ■ ! where (j) is 
Euler's totient function. From this it follows that there exists a prime in the range [n, 2nK] that 
satisfies the congruence p = 2 mod K and, consequently, p — 1 is co prime to all the divisors of K. 
Finding this p in time polynomial in n is trivial since we can just try all integers in the range and 
test them for primality. □ 
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5 Proof of Theorem [2] 



In [Gurllj . Guruswami considers an explicit family of codes (folded Reed-Solomon codes) that are 
defined as the image of an explicit mapping 

where F = Fg is any finite field of size q and l<m<q — lisa multiple of r. Since our application 
is black-box (and applies to any code that shares the decoding properties listed below, such as the 
codes from [GWll] ) we omit the precise description of the code and refer the reader to |Gurll| for 
more details on the actual definition of C. 

In this setting, n is the message length, S = F'^ is the alphabet, N = m/r is the block length 
and R = n/m is the rate. Let e > be a sufficiently small constant and set k ^ 1/e and r 
Guruswami shows (Theorem 7 in [Gurllj ) that for the above choice of parameters: 

1. The mapping C can be computed in polynomial time. 

2. There exists a polynomial time algorithm that, given y G (F*")™/^, returns a basis to a subspace 

C F" of dimension k which contains all points x whose encoding C{x) has normalized 
hamming distance at most 1 — R — e from y. (In fact, this algorithm runs in time quadratic 
in its output length.) 

We now describe how to combine this code C with our construction of subspace evasive sets 
(Theorem 13. 2p to obtain a code C with shorter list size and without loosing too much in the 
decoding radius. Let S C F" be a (A;, c = c(/c,e)) subspace-evasive set obtained from Theorem 13.21 
Using Claim 1131 we can construct a finite field F of size between n and Oe(n) so that the first k 
degrees di,d2, . . . ^d^ used in the construction are co-prime to |F| — 1. From Claim we know 
that there is an efficiently computable bijection ip : F^^"*^)" — )■ C F". Consider the composed 
code C : F(i-^)" (F*-)™/^ defined as 

C'{x)=C{ip{x)). 

Let R' denote the rate of C. Then 

R' = {1- e)n/m = {1 - e) ■ R > R - e. 

First, we claim that the composed code C can be list-decoded with list size c(l/e, e) = (1/e)'^'-^/"^) 
from a fraction 

l-R-e>l-R'-2e 

of errors. This is since for every y S (F^ )"'/'', the subspace H C returned by the list-decoding 
algorithm for C contains at most c messages who lie in S. 

In order to maintain the efficiency of encoding and list-decoding of C, we need to guarantee 
three properties: 

(i) Encoding: the map ip should be computable in polynomial time. 

(ii) Decoding: the inverse map ip~^ should be computable in polynomial time. 
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(iii) List-decoding: for every subspace if C F" of dimension s, we can find in polynomial time the 
intersection 5" n C F". 

The first two items are guaranteed by Claim [4?H and the third by Claim [421 Using the property 
that the decoded given by Guruswami runs in quadratic time we get that the composed code C 
can be list-decoded (with the above parameters) in quadratic time (for all constant e > 0). This 
completes the proof of Theorem 13. 2i 
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A Fourier analysis 

Let F be a finite field. An additive character (e.g. Fourier basis) of F is a function x - ^ ^ such 
that x(^+2/) = x{x)x{y) for all a;, y G F. The set of characters form an orthogonal basis of functions 
from F to C. Let ep(x) := e'^'^'^^/v. The set of characters of F = ¥^1 for p prime and £ > 1 is given 

by Xa{x) = ep(Tr(ax)) for a G F^f, where the trace Tr : Fpf — )• Fp is defined as Tr(a;) = Yld=Q 
The constant function 1 is a trivial character for any field; any other character is called non-trivial. 
More generally, the characters of the vector space F™ are given by Xa{x) = ep(Tr((a, x))) where 
a = (ai, . . . ,am) G F"^, x = (xi, . . . ,Xrn) G F™ and (a,x) = aiXi + ...+ amXm- 

Let X be a random variable taking values in F™. Its Fourier coefficients X{a) for a G F"* are 
given by 

X{a) := J2 = ^^Xa{x); 

and for any x G F*", the Fourier inversion formula gives that 

Pr[X = x] = |F|— Yl 



Character sums The following result by Weil |Wei48j (see also |Sch04) ) is a strong tool which 
gives a bound on the average of a nontrivial character evaluated over the output of a low degree 
polynomial. 

Theorem A.l (Weil). Let f{x) he a non-constant degree d polynomial over a finite field F. Let 
X : F — )• C 6e a nontrivial additive character. Then \E,x(^y[x{x)\\ < ■^j=- 
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